I have the Flash plug-in installed in my main profile and set to “never activate”. If I create a new profile, Flash is automatically set to “always activate”. That seems counter-intuitive to Mozilla’s policy towards blocking Flash by default.

The other issue I noticed is that in my main profile, the Flash version is marked as outdated and vulnerable. In the new profile, there is no such indication, although it is the same version.

These two issues combined seem a little dangerous.

This may become irrelevant once Firefox goes click-to-play on Flash content, but for people running older versions, I thought it was worth mentioning.

Hi Mo_D! Complete stab in the dark, but could it be that your Flash is now up to date: Flash Player - latest version 25.0.0.148 and Shockwave Flash - latest version 25.0.r0? That would explain why it's no longer marked as outdated and vulnerable. But again: complete stab in the dark .....

From what I've read, Flash is a default in the newer Windows versions (52+) of Firefox, with a number of other plugins disabled. If you had VLC or Quicktime in the plugins list, they would not show unless you had added the boolean item plugin.load_flash_only in about:config set to false.

A nice feature, IMO, would be to have available "global" Prefs, such that a new Profile follows such global Prefs rather than any other defaults.

In particular, pertaining to updating. If you disable updates, then open a new Profile, by default, updates are enabled, & until such time as you manually disable updating in that new Profile, you are subject to have an update queue, such that when you return to your original Profile - with updates disabled, you will get updated nonetheless.

So a way to globally disable updates, or set Flash to disabled, would be nice.

about:plugins still show the path to the Flash plugin? Make sure it is the expected file in the expected location.

Could be that when you installed the Flash update, that Flash was in use in the main browser, & until you restart the browser...

Probably a redundant remark, but as of Firefox release version 52, support for ALL plugins was dropped, EXCEPT for Flash. Personally, I think it's rather user-friendly having the choice to set Flash to either 'always activate' or 'never activate'.

therube wrote: A nice feature, IMO, would be to have available "global" Prefs, such that a new Profile follows such global Prefs rather than any other defaults.

I certainly understand your reasoning, but a new profile is used to diagnose issues and is expected to be in a particular default state. Having individual preferences available would throw a monkey wrench into that diagnosis process.

therube wrote: In particular, pertaining to updating. If you disable updates, then open a new Profile, by default, updates are enabled, & until such time as you manually disable updating in that new Profile, you are subject to have an update queue, such that when you return to your original Profile - with updates disabled, you will get updated nonetheless.

Yes, I found this out the hard way. No big deal for me, but it could be a big deal for some people. Again, it's not necessarily expected behavior. If you think it through, it makes sense, but the average user might not expect it.

therube wrote: about:plugins still show the path to the Flash plugin? Make sure it is the expected file in the expected location.

barbaz wrote: Sounds like your main profile has a recently updated blocklist, while the new profile doesn't (yet).

I assume that update would run on launch, or 2nd launch, like software update? But it didn't. Or maybe only 24 hours later since the blocklists are updated daily?

This new profile was created today, but I noticed the same thing on a new profile I created yesterday. I deleted yesterday's profile yesterday after I finished the test I was doing. I'll launch this new one tomorrow and see if it updates.

That's all somewhat academic. The vulnerability still remains. I imagine others like me rarely update Flash anymore since I rarely use it. Someone could launch a new profile with a very old version of Flash automatically activated.

Maybe the new Profile just hasn't gotten around to updating blocklist.xml.

Compare blocklist.xml between old & new. (Or maybe just search blocklist.xml for 25.0.0.127 - it should be there. Do this with FF closed, cause if you open it, it might update.)

Not sure what you mean by that.

Flash can't update if it is in use. So it will wait, could wait, until the next browser restart, & if you're the type that doesn't restart... (At least it's like that in Windows. I wouldn't know about Mac.)

You guys are killing me. I have already posted the version of Flash I am running, and the most recent version available for Mac (which is the OS I am running). Get past that. We could be talking about any outdated plug-in.

There’s a reason I posted this in General instead of Support. I’m not looking for help, I’m pointing out a vulnerability made possible from creating a new profile.

In addition, I’m questioning whether Mozilla has this set up in the best (safest) possible way.

Mo_D wrote: You guys are killing me. I have already posted the version of Flash I am running, and the most recent version available for Mac (which is the OS I am running). Get past that. We could be talking about any outdated plug-in.

You're right. Sorry. Speaking for myself: I'll stay off your back.

There’s a reason I posted this in General instead of Support. I’m not looking for help, I’m pointing out a vulnerability made possible from creating a new profile.

And thank you for that!!!

In addition, I’m questioning whether Mozilla has this set up in the best (safest) possible way.

I did not. I forgot to do that before I deleted the profile. What I did do was open the profile this morning to see if Flash was marked as outdated, and it still was not. Then I visited mozilla.org and support.mozilla.org to see if that would trigger a blocklist update. It did not. Then I visited YouTube and played a video. In the past, when I still used Flash regularly, this would normally trigger a notification that an update was available. But this did not trigger a blocklist update either. Finally, I visited adobe.com and played a video there. After visiting Adobe, then the plug-in was marked as outdated, which I assume means the blocklist would have been updated if I had checked it.

So the blocklist process is still a bit of a mystery to me. I know it's updated once daily, and is supposed to be updated at startup. Beyond that, I dunno. Whatever the process, it seems too slow to save you in the scenario I'm describing. It seems to me that a fresh blocklist should be fetched on launch of a new profile. Even copying the existing blocklist seems like it would be preferable. If I’m correctly parsing what is happening, a blocklist is not downloaded until it is triggered by a script from adobe.com, or a certain amount of time (24 hours?) has passed.

This is from my current profile: blocklist lastupdate="1483471392954" What the heck is that? How many seconds ago? Out of curiosity, I just created another new profile and it has the same exact number. And the Flash plugin is still not shown as outdated. Searching for “25.0.0.” within the blocklist turns up no results. There are multiple items that appear to relate to Flash, so I can’t tell which is the right one.

I don’t need to know how all this works, but I am a little curious now. I’m sure there’s documentation somewhere…
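Added example, not written by any poster in this thread and not Mozilla's code: the lastupdate value quoted above is a count of milliseconds since the Unix epoch, and plugin blocks in blocklist.xml are expressed as a filename regex plus a version range, so a text search for one exact version string can miss a block that covers it. The element layout used here, the simplified version comparison and the function names are assumptions; the sample XML is constructed and only the lastupdate value is taken from the thread.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"b": "http://www.mozilla.org/2006/addons-blocklist"}

# Constructed sample. Only the lastupdate value comes from the thread; the
# pluginItem entry, its blockID and its version range are made up.
SAMPLE = r"""<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist"
           lastupdate="1483471392954">
  <pluginItems>
    <pluginItem blockID="p-constructed">
      <match name="filename" exp="Flash\ Player\.plugin"/>
      <versionRange minVersion="24.0.0.221" maxVersion="25.0.0.127"
                    severity="0" vulnerabilitystatus="1"/>
    </pluginItem>
  </pluginItems>
</blocklist>"""


def last_update_utc(root):
    # lastupdate is milliseconds since the Unix epoch, not seconds.
    return datetime.fromtimestamp(int(root.get("lastupdate")) // 1000, tz=timezone.utc)


def vkey(version):
    # Simplified comparison for purely numeric dotted versions; Firefox's own
    # version comparator also handles wildcards and letters.
    return tuple(int(part) for part in version.split("."))


def matching_blocks(root, filename, version):
    """Return (blockID, min, max) for each range covering this plugin file/version."""
    hits = []
    for item in root.iterfind("b:pluginItems/b:pluginItem", NS):
        match = item.find("b:match[@name='filename']", NS)
        if match is None or not re.search(match.get("exp"), filename):
            continue
        for rng in item.iterfind("b:versionRange", NS):
            lo, hi = rng.get("minVersion", "0"), rng.get("maxVersion", "*")
            if vkey(lo) <= vkey(version) and (hi == "*" or vkey(version) <= vkey(hi)):
                hits.append((item.get("blockID"), lo, hi))
    return hits


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)  # for a real profile: ET.parse(path).getroot()
    print("blocklist last updated:", last_update_utc(root).isoformat())
    print("25.0.0.120:", matching_blocks(root, "Flash Player.plugin", "25.0.0.120"))
    print("25.0.0.148:", matching_blocks(root, "Flash Player.plugin", "25.0.0.148"))
```

Run it against copies of blocklist.xml taken from the old and the new profile with Firefox closed; identical lastupdate values in both mean neither file has been refreshed since that moment.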